Meeting minutes
Phil Archer: I'm watching IRC and not Zoom, so please post in IRC if you need anything
… Hiroyuki Sano, could you please introduce yourself?
Hiroyuki Sano: I met many of you at past events
Phil Archer: right. Hiroyuki Sano is from Sony
Ted Thibodeau Jr.: I'm Ted and have been attending many of these calls for many years
… I will be absent next week, but should be in the week after
Phil Archer: thank you, Ted. Anyone else want to do an introduction?
… k. let's move on to discuss the face-to-face
<Phil Archer> https://
Phil Archer: I think everyone who's coming has already filled in the attendance form
… but if you haven't and plan to come in person, we need to know now
… so if fill that in if you're coming
Manu Sporny: for the face to face, I think we've got several threat modeling things we want to do
<Manu Sporny> Render Method threat model: https://
<Manu Sporny> Recognized Entities: https://
Manu Sporny: and in prep for that, I've created a few documents that cover some brainstroming we've been doing in other groups
<Manu Sporny> VC Data Model: https://
<Manu Sporny> VC Barcodes: https://
Manu Sporny: the usefulness of using a Google Doc for this is that anyone can contribute and then editors can clean it up
Manu Sporny: we also have a VCALM one that might show up soon
Joe Andrieu: I'll try and find that one too
… I wanted to mention that Simone may be available to help facilitate for us at the face to face
… not sure of the logistics, but he's at least the right timezone
<Phil Archer> Agenda
Joe Andrieu: so, chairs, perhaps we can add that to the agenda
Phil Archer: that does sound good
… we've got coffee breaks scheduled so far at least!
… and we've started accommodating remote participants for some discussions
<Joe Andrieu> VCALM draft threat model https://
Phil Archer: so if we can find a time that works for Simone, then we should try and schedule that
Manu Sporny: Joe Andrieu do we have a VC Data Model threat model yet?
Joe Andrieu: my hope was to work backwards to that
… our different task forces seem to have very different attack surfaces
… but yes, the VCDM threat model is still on the horizon
Phil Archer: most of the EU is taking the day off tomorrow, so scheduling Simone may be tricky
… Brent Zundel Ivan Herman can one of you get Simone scheduled?
Ivan Herman: do we have a preference for the day?
Phil Archer: there's a link to the draft agenda in chat
… so looking at that, it's ideally Tuesday afternoon
… maybe after lunch?
Ivan Herman: k. I'll start there and see what simone needs
<Phil Archer> Social event, Wednesday
Phil Archer: agreed. we can work to accommodate simone's schedule
… there's a social event, please sign up!
… the face to face is 3 weeks away
… Jenny, can you scribe?
Jenny: not this week, I'm on the phone
Phil Archer: thank you, sounds good. bigbluehat please continue
w3c/vc-wg#13
Phil Archer: Ivan Herman, please set the stage
Ivan Herman: I promised I'd do an overview, so here goes
<Ivan Herman> https://
Ivan Herman: this PR includes a table of all the vocabularies in progress
… their context files, formal URLs for the vocabs, etc.
… where they're stored, etc.
… hopefully, I did not forget anything
… Manu Sporny and Dave Longley have reviewed so far
… the question we have to answer is whether we continue this structure
… using version numbers, etc.
… and we might need to bump version numbers for context files, vocabs, etc.
… we haven't historically done this specifically this way, so we need to define this more strictly this time
… and we need to decide where we put new terms--existing vocabs? or new ones?
… not all of this needs to be decided today, but we should set down some governance
Manu Sporny: +1 to the PR
Manu Sporny: Suggested changes I made you merged in, Ivan Herman, thank you. The rest looked good to me, it aligns with what we've been doing for many years now, +1 to that.
Manu Sporny: With respect to what are the governing principles for the future with vocabs and context files, a couple of thoughts.
Manu Sporny: Ivan Herman has created a really useful tool called yml2vocab and it can take a vocab file and auto-generate well-formed JSON-LD context files. He has refined this over the years and we don't even need to handcraft those now we just generate them. We should use that by default for any work in this group.
Manu Sporny: I think there are some challenges where there are -- like a subset where we want to define something in a base vocab and only use a subset in a context file and, Ivan Herman, that might be another feature we might need.
Manu Sporny: Ideally want to lock in all the URLs for the extension specifications
… so we need to decide for VC Barcodes
… I'd suggest we put all the extension terms into the VC Data Model vocab
… and for the JSON-LD context files, we need to do 2 things
… a tiny JSON-LD context so those can be mixed into other things like VC1.1 implementations
… as well as getting those terms into a VCv2.1 context containing all the new extension terms
… and make sure all the vocab URLs are in `w3.org` space
Phil Archer: thank you
… as someone who was not deeply involved by how this came about, this looks like a "dog's dinner"
… I know there's a lot of things in-flight with implementations happening alongside specification writing
… but now we have multiple namespaces
… some in `w3id.org`, some in `w3.org`
… the terms specified in the VCDM as part of the recommendation, then part of the process should be to show that those terms have been used
… and in an ideal world (which is not the one we're in), we'd go back in time and fix all the URIs properly
… and we could add all those terms as a sidecar to the main vocab
… but, absent that, it would be good to help developers to explain all the vocab terms
… how they came into being, etc.
… if that's not absurd, then we need some sort of entry point to this
Phil Archer: I'd love for them to be outside the main vocab, because it all feels like a mess to me
Manu Sporny: it may feel like a mess
… because you now see the gory details
… folks outside just use the VCDM context
… so they just copy/paste a URL and they're done
… so maybe you're reacting to the "sausage making"?
… and not what most developers will need
… Ivan Herman's done a great job of tracking all that down already
… it'd be great to have a front door, like you descibe
… and start with "just use the VCDM context" to get started
… and then maybe mention how to augment that if/when needed
… we very consciously built this as a decentralized system
… and to some extent this is exactly how this should play out
<Dave Longley> yay for decentralized innovation! -- coming together again afterwards is important too to help people understand, +1 for "entry points"
Manu Sporny: we've talked about doing a "clean up"/renaming before, and that usually just runs into what implementations are already doing
… so, I think from the outside, I think it looks OK
… but I agree it is hard/ugly from inside the group
Ivan Herman: I do agree with you Phil Archer
… I don't really buy the "it's decentralized" argument, because it's all built by mostly the same group
… but however it happened, what's done is done
… happily, though, most of this is starting to take a consistent shape
… so, if we can continue that, we are at least sort of OK
… for the "entry point" document, I'd still need to know more about what it would contain
… it should probably get folded into the overview document
… having it as a separate document feels too abstract for most people to care about
… but we can discuss that
Phil Archer: I think that's a great idea to add it to the overview doc
… point people to the VCDM context and call it good
… just a reminder, if you are naturally quiet person, please feel free to type
… we want to hear from you
Olvis Enrique Gil Ríos: I appreciate the chance to talk
… I want to say a consistent vocabulary adds a lot of value
… for an architecture perspective, a lot of work has been done for the years--which is great and amazing
… but we also have to consider the current reality
… and think this through from a user perspective
… and we should think through some alternative ways related to AI
… because when we develop documentation and standards, considering AI seems very relevant
… especially it we include CLIs and things for agents to use
Olvis Enrique Gil Ríos: having these vocabs and terms will have a lot of value
Manu Sporny: I think we're getting into some academic purity
… so, I don't think we're going to reach some level of academic purity
… we approached the W3C about a redirect service, and they said no
<Dave Longley> +1 to Manu Sporny ... decentralization was required here to make progress
Manu Sporny: which is why we now have `w3id.org`
… which is fine
… but now we have what we have
… there's no consistency of use across domain names
… even when TLDs were originally intended to classify businesses with `.com`, etc.
… we really shouldn't fear the URLs that get used in these contexts and vocabs
… because controlling them isn't really achievable
… we can try, but we continue to make decisions that cause problems
<Dave Longley> try for cohesion and consistency where you can get it, but accept it's ok when you don't always get it (because the trade offs are better than gatekeeping)
Manu Sporny: like putting the VCDM in front of Data Integrity
<Phillip Long> An index page, that Phil A and Manu Sporny have mentioned previously is still a good idea. But that's encough.
Manu Sporny: that was a political choice...and a bad one
… Data Integrity can be used on it's own
… but now it has this awkward VCDM namespace in front of it
… which confuses people
… and that confusion is not technical, but political
Brent Zundel: w3id.org got brought up as a possibility for the W3C to take on
Manu Sporny: yes!
https://github.com/w3c/vc-data-integrity/issues
Phil Archer: Manu Sporny you have issues in the Data Integrity spec
Manu Sporny: just to make folks aware of what that Task Force is doing
w3c/vc-data-integrity#344
Manu Sporny: Greg is involved in this one
… Greg has taken on the unenviable task of refactoring all the algorithms across all the specs to look for commonalities
… and then move those into the core Data Integrity spec
… such as selective disclosure ones
… many of these are in cryptosuite sub-specs
… and in issue 344 Greg's working on mapping that out
… and now that we have FPWDs, he's going to move a bunch of stuff around that is purely editorial
… that is in prep for the post-quantum work coming into the group
… anyone have concerns with any of that?
Phil Archer: my understanding of what you say, is that it should be a good deal easier to follow what's going on
<Dave Longley> and reusability of all the algorithms across specs
Phil Archer: and an improvement in readability and consistently
Manu Sporny: yes, we have others making new cryptosuites, and this should let them reference existing stuff vs. copy/pasting or recreating it
… Greg would love help if anyone is interested/able
<Dave Longley> +1 to this being an excellent editorial upgrade
Manu Sporny: I will note there are a number of "future" issues
… and I think we're in the future now
… should we process those today? or put them on a future call?
Phil Archer: if there are one or two you want to look at, we can now
w3c/vc-data-integrity#340
Manu Sporny: yes, issue 340
… this is about cryptographic primitives used on existing mobile phones
… there is a question around how much we should speak to existing tech
… there are not secure enclaves on phones today--and I haven't heard of any coming in the next year--that handle post-quantum cryptography
… so, Apple, for example only support ECDSA
… we could warn people that current mobile phones when a quantum computer shows up
… and these existing folks will not be able to safely do a presentation with any of the existing cryptography available on those phones when that happens
… we'd have to quickly shift things to newer cryptography
Brent Zundel: large tech companies rarely share explicit timelines
… however, Google said they're planning a fell post-quantum rollout by 2029
… and they do explicitly mention Android being prepared for that
… so future phones should be more PQ capable than current ones
… and perhaps those show up sooner than later
… for example, I work for a hardware company and we've got an alpha device that is post-quantum ready
Ivan Herman: how does this effect our specifications, because that is what we're really responsible for
Phil Archer: I think that's related to my question. I translate what's being said to wonder how much it matters
Phil Archer: are we talking about exclusively smart phones? there are certainly other things out there
Manu Sporny: +1 to what Brent Zundel said, there is new stuff coming
… however, what about the people who don't upgrade
… it's far less of a concern for large companies using cloud-based HSMs
… but consumers will suffer
… if they get into self-sovereign wallets on their current phones
… and don't upgrade--for financial reasons or any other reason--they'll be at risk
… so, should our specifications state that wallets should be prepared to do software-based post-quantum
Kevin Dean: I don't think we do this in a spec
… this is a very broad problem
… we can mention it, but really this would be in a threat model doc
Phil Archer: is that the answer you needed Manu Sporny ?
Overview
<Phil Archer> https://
Manu Sporny: yeah, sound like "write threat model text"
Phil Archer: Ivan Herman wrote an Overview document awhile back
… and I'm keen to get more folks involved
… this doc is our primer / start-here / etc.
… and I wonder if people in this group who are not the "usual suspects" who talk a lot
… could look to contribute to this Overview document
… and to see if you might write some new text for this document
… it would help everyone
Ivan Herman: I'm very supportive of what you said
… but it might be a bit early
… we could get a unified architecture of the whole thing into this document...eventually
… but right now there are a high number of satellite documents
… and those need to settle down
… so, 3-4 months from now, that would be great
Phil Archer: so, TPAC?
Ivan Herman: yeah, that would be better
Phil Archer: following our face-to-face will be in October in Dublin
… 2027 will be in December in Panama
… thank you everyone!